I am running the following configuration:
Kerberos 1.4.0
Solaris 9
/usr/lib/ssh/sshd, /usr/bin/ssh

My /etc/pam.conf for sshd is:
sshd auth sufficient pam_krb5.so.1 try_first_pass
sshd auth required pam_unix.so.1

I've even included the password entry into the pam.conf
other password sufficient pam_krb5.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

Here is my problem. Using kadmin, I force expire the password using:

kadmin> modprinc -pwexpire now

After expiration, I then use ssh to log onto a kerberos client,
using the expired kerberos password.
I've modified the local shadow file so that the password field is an "*"!

After expiration, I am still able to log onto the server.

If I expire the shadow file, then I am challenged for a password change...
the password change, via the pam.conf password entry will change the
kerberos password and leave the shadow file with the 0 in the time field of
the shadow file, thus the next time a password is requested, it will again
show the password has expired for that server.

How do I get the sshd / pam_krb5.so.1 to recognize that the kerberos
password has expired???

kinit will show that the password in kerberos has expired... but that
help me to insure that users change their password every 90 days.

Kerberos mailing list Kerberos@mit.edu